Dark Reading is part of the Informa Tech Division of Informa PLC


IoT/Embedded Security

10:55 AM
Larry Loeb

New IoT Device Regulation Establishes Base Line for Security

The legislation seeks to use the government's purchasing power: if the bill passes, federal agencies will only be able to acquire IoT devices that meet the bill's requirements.

Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT), as well as Representatives Robin Kelly (D-IL) and Will Hurd (R-TX), have introduced the IoT Cybersecurity Improvement Act of 2019.

The bill is a revision of the one that Sen. Warner first introduced in 2017, which made little progress at the time. The bill's overall approach is to use the government's purchasing power so that it acquires only those IoT devices that meet the bill's requirements.

The bill calls on the National Institute of Standards and Technology (NIST) to do the hard technical work by making recommendations for this class of device covering identity management, patching, and configuration.

NIST has already published a draft document that addresses these issues, and it has gone through a public comment process. The bill is not operating in a vacuum. The EU recently published an IoT standard that seems reasonable but has no enforcement teeth of its own. It may well be that the document serves as a basis for enforcement under the EU's GDPR regulations.

In fact, the developers of the standard -- the European Telecommunications Standards Institute (ETSI) -- have said that the effort is "to establish a security baseline for Internet-connected consumer products and provide a basis for future IoT certification schemes."

California has also made a legislative attempt at IoT security; its law goes into effect January 1, 2020. Exactly how that effort will interact with the federal bill (if passed) has not yet been determined.

Phil Neray, VP of Industrial Cybersecurity at CyberX, commented on the bill in a statement to SecurityNow.

"IoT device manufacturers have typically deprioritized security in favor of faster time-to-market and lower costs," he noted. "As a result, many IoT devices have much weaker security than other devices upon which we depend such as laptops and cell phones, lacking even the most basic security features like simple patching and removal of hard-coded administrative passwords. As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories. This bipartisan bill is an important step towards steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world." His comments reflect the consensus view of IoT security: it is poor, driven by economic incentives, and subject to almost no oversight.

Between the new federal legislation, the EU standard, and the California law, that situation may be changing. These measures are designed to ensure that there are economic consequences for a manufacturer's poor security efforts: their devices will not be bought.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
